diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
index f0922518e6b..fa771f2e2d5 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
@@ -616,7 +616,7 @@ func kmsPrefixTransformer(ctx context.Context, config *apiserverconfig.KMSConfig
 
 	// using AES-GCM by default for encrypting data with KMSv2
 	transformer := value.PrefixTransformer{
-		Transformer: envelopekmsv2.NewEnvelopeTransformer(envelopeService, kmsName, probe.getCurrentKeyID, probe.check, aestransformer.NewGCMTransformer),
+		Transformer: envelopekmsv2.NewEnvelopeTransformer(envelopeService, kmsName, probe.getCurrentKeyID, probe.check),
 		Prefix:      []byte(kmsTransformerPrefixV2 + kmsName + ":"),
 	}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
index bd2fce29f7d..53ea34d41f5 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
@@ -20,18 +20,19 @@ package kmsv2
 import (
 	"context"
 	"crypto/aes"
-	"crypto/cipher"
 	"crypto/rand"
 	"fmt"
 	"time"
 
 	"github.com/gogo/protobuf/proto"
 
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/storage/value"
+	aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
 	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
 	"k8s.io/klog/v2"
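Review bot: The import hunk adds `utilerrors "k8s.io/apimachinery/pkg/util/errors"`, but none of the envelope.go hunks in this diff reference `utilerrors`; Go rejects unused imports, so either the use sits in a part of the file not changed here or the import is dead and should be dropped. Worth confirming with a build before merge. The removal of `crypto/cipher` is consistent with the rest of the change, since `cipher.Block` no longer appears in this file's signatures, and the new `aestransformer` import is consumed by the addTransformer hunk.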
@@ -71,8 +72,6 @@ type envelopeTransformer struct {
 	keyIDGetter       KeyIDGetterFunc
 	probeHealthzCheck ProbeHealthzCheckFunc
 
-	// baseTransformerFunc creates a new transformer for encrypting the data with the DEK.
-	baseTransformerFunc func(cipher.Block) value.Transformer
 	// cache is a thread-safe expiring lru cache which caches decrypted DEKs indexed by their encrypted form.
 	cache *simpleCache
 }
@@ -80,18 +79,17 @@ type envelopeTransformer struct {
 // NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme.
 // It uses envelopeService to encrypt and decrypt DEKs. Respective DEKs (in encrypted form) are prepended to
 // the data items they encrypt.
-func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc, baseTransformerFunc func(cipher.Block) value.Transformer) value.Transformer {
-	return newEnvelopeTransformerWithClock(envelopeService, providerName, keyIDGetter, probeHealthzCheck, baseTransformerFunc, cacheTTL, clock.RealClock{})
+func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc) value.Transformer {
+	return newEnvelopeTransformerWithClock(envelopeService, providerName, keyIDGetter, probeHealthzCheck, cacheTTL, clock.RealClock{})
 }
 
-func newEnvelopeTransformerWithClock(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc, baseTransformerFunc func(cipher.Block) value.Transformer, cacheTTL time.Duration, clock clock.Clock) value.Transformer {
+func newEnvelopeTransformerWithClock(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc, cacheTTL time.Duration, clock clock.Clock) value.Transformer {
 	return &envelopeTransformer{
-		envelopeService:     envelopeService,
-		providerName:        providerName,
-		keyIDGetter:         keyIDGetter,
-		probeHealthzCheck:   probeHealthzCheck,
-		cache:               newSimpleCache(clock, cacheTTL),
-		baseTransformerFunc: baseTransformerFunc,
+		envelopeService:   envelopeService,
+		providerName:      providerName,
+		keyIDGetter:       keyIDGetter,
+		probeHealthzCheck: probeHealthzCheck,
+		cache:             newSimpleCache(clock, cacheTTL),
 	}
 }
 
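Review bot: NewEnvelopeTransformer is an exported constructor in the k8s.io/apiserver staging module, and dropping the `baseTransformerFunc` parameter is a breaking signature change for any caller outside this tree, yet the doc comment above it still says nothing about the DEK cipher now being fixed. Suggest extending that comment with `// The DEK is always used with AES-GCM; the base transformer is no longer configurable by the caller.` so readers do not look for the removed hook. The matching field removal in the struct hunk at old line 71 is the other half of this change and needs no separate note.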
@@ -206,7 +204,7 @@ func (t *envelopeTransformer) addTransformer(encKey []byte, key []byte) (value.T
 	if err != nil {
 		return nil, err
 	}
-	transformer := t.baseTransformerFunc(block)
+	transformer := aestransformer.NewGCMTransformer(block)
 	// TODO(aramase): Add metrics for cache fill percentage with custom cache implementation.
 	t.cache.set(encKey, transformer)
 	return transformer, nil
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
index a0540d60f5a..20549c785d7 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
@@ -32,7 +32,6 @@ import (
 
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/storage/value"
-	aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
 	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
 	"k8s.io/component-base/metrics/legacyregistry"
@@ -151,7 +150,7 @@ func TestEnvelopeCaching(t *testing.T) {
 				func(ctx context.Context) error {
 					return nil
 				},
-				aestransformer.NewGCMTransformer, tt.cacheTTL, fakeClock)
+				tt.cacheTTL, fakeClock)
 			ctx := testContext(t)
 			dataCtx := value.DefaultContext([]byte(testContextText))
 
@@ -233,7 +232,7 @@ func TestEnvelopeTransformerKeyIDGetter(t *testing.T) {
 				func(ctx context.Context) error {
 					return nil
 				},
-				aestransformer.NewGCMTransformer)
+				)
 			ctx := testContext(t)
 			dataCtx := value.DefaultContext([]byte(testContextText))
 
@@ -304,7 +303,7 @@ func TestTransformToStorageError(t *testing.T) {
 				func(ctx context.Context) error {
 					return nil
 				},
-				aestransformer.NewGCMTransformer)
+				)
 			ctx := testContext(t)
 			dataCtx := value.DefaultContext([]byte(testContextText))
 
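Review bot: The new `transformer := aestransformer.NewGCMTransformer(block)` line hard-wires the DEK cipher where an injected hook used to be, without a comment saying why the indirection was removed; addTransformer starts outside this hunk, so the origin of `block` is not visible here. A short why-comment on that line, `// KMSv2 always wraps the DEK with AES-GCM; the cipher is intentionally not configurable.`, would stop a later reader from re-adding the hook for "flexibility". The surrounding err check and the `t.cache.set(encKey, transformer)` call are unchanged, so the cached object is still a per-DEK transformer keyed by its encrypted form.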
@@ -599,7 +598,7 @@ func TestEnvelopeMetrics(t *testing.T) {
 				metrics.RecordInvalidKeyIDFromStatus(testProviderName, errCode)
 				return nil
 			},
-			aestransformer.NewGCMTransformer)
+			)
 
 			dataCtx := value.DefaultContext([]byte(testContextText))
 
@@ -720,7 +719,7 @@ func TestEnvelopeLogging(t *testing.T) {
 				func(ctx context.Context) error {
 					return nil
 				},
-				aestransformer.NewGCMTransformer, 1*time.Second, fakeClock)
+				1*time.Second, fakeClock)
 
 			dataCtx := value.DefaultContext([]byte(testContextText))
 			originalText := []byte(testText)